The statistic has been circulating in the defense compliance community for months: fewer than 1% of defense industrial base contractors are estimated to be ready for CMMC certification. The number sounds dramatic. It’s also consistent with everything we’ve observed working with contractors across the readiness spectrum.
The question isn’t whether the readiness gap is real. It’s what’s causing it, how bad it actually is underneath the headline number, and what it means for contractors who haven’t started, for those who are mid-preparation, and for the defense supply chain that depends on all of them.
Where the Number Comes From
Multiple industry sources have cited variations of the “1% ready” figure, drawing from different data points: the number of contractors who have posted qualifying SPRS scores, the number who have completed gap assessments at the assessment-objective level, the number with assessment-ready documentation packages, and the nascent volume of completed C3PAO assessments.
No single authoritative dataset captures DIB-wide CMMC readiness. What we have is convergent evidence from multiple directions, all pointing to the same conclusion: the overwhelming majority of contractors who will need CMMC certification don’t have it and aren’t close to having it.
The 1% figure likely overstates readiness when you apply a strict definition. Having a SPRS score posted isn’t the same as being assessment-ready. A self-reported score of 90 doesn’t mean an independent assessor would agree. Among contractors we’ve supported through readiness reviews, the gap between self-reported compliance and independently verified compliance is routinely large enough to change the assessment outcome. Controls that contractors scored as MET often can’t produce assessment-ready evidence. Documentation that exists on paper doesn’t match the current environment. The gap between “we think we’re compliant” and “we can prove we’re compliant under assessment” is where most of the readiness deficit lives.
Why the Gap Is This Wide
The readiness gap didn’t appear overnight. It’s the accumulated result of several years of compliance inertia meeting a suddenly real enforcement timeline.
DFARS 7012 has been in contracts since 2017, and most contractors treated it as aspirational. The clause required implementing NIST 800-171 security requirements. It didn’t require proving implementation to an independent assessor, though DFARS 252.204-7020 later added DoD-conducted assessments and SPRS score submission. Without verification, the natural tendency was to report optimistic compliance and move on. For eight years, the compliance model was self-attestation with minimal consequences. That created a culture where “good enough” was the standard and the gap between claimed and actual compliance widened quietly.
Self-assessment scoring has been generous. The SPRS scoring methodology is well-defined, but when an organization grades its own paper, optimism is structural. A control that’s “mostly implemented” becomes MET. A policy that exists in draft becomes documented. Evidence that hasn’t been tested against assessment objectives passes internal review. The resulting SPRS scores look better than the actual compliance posture would support under independent evaluation.
The documentation standard for CMMC is higher than most contractors realized. DFARS 7012 required implementation. CMMC requires proof of implementation at the assessment-objective level, with traceable evidence for each of the 320 objectives. Contractors who implemented controls but didn’t build the documentation and evidence infrastructure are technically closer to compliant than their documentation suggests, but an assessor evaluates what you can demonstrate, not what you believe you’ve done.
Want to know where you actually stand? Check your readiness to see how your environment maps against the 320 assessment objectives, not just the 110 controls.
Small contractors face disproportionate barriers. The defense industrial base includes thousands of companies with fewer than 50 employees. These organizations don’t have compliance teams, security architects, or dedicated IT budgets for certification preparation. For any contractor handling CUI, the same 110 requirements apply to a 15-person machine shop as to a 5,000-person systems integrator. The smaller the organization, the more the compliance burden feels like it was designed for someone else.
What the Readiness Gap Means for Different Contractors
If you’re in the 1% (or close to it): You hold a significant competitive advantage that will only grow as enforcement expands. Primes are building supply chains from contractors who can demonstrate certification readiness. Being ahead of the curve means you’re on the preferred list for teaming arrangements and subcontract awards while your competitors are still scrambling.
Mid-preparation? The gap data should motivate, not discourage. You’re ahead of the vast majority of the market. The contractors who are currently in active preparation, closing gaps, building documentation, collecting evidence, will be in the strongest position when enforcement phases require certification. Progress matters more than perfection here.
Haven’t started yet? The readiness gap means your competitors haven’t started either, which sounds like comfort but isn’t. The 99% of unprepared contractors will all be competing for the same limited pool of C3PAO assessors, RPO advisors, MSP capacity, and compliance platform bandwidth. The advantage of starting now isn’t just being ready sooner. It’s avoiding the crunch when everyone else realizes they need to start simultaneously.
Among contractors we’ve worked with, those who started preparation with more than 12 months of runway cut costs and reduced organizational disruption compared to those who compressed the timeline under pressure. The work is the same. The experience of doing it under deadline versus doing it with breathing room is not.
The Cost of the Gap
The readiness gap carries real economic consequences for the defense industrial base.
Contract eligibility risk. As CMMC requirements appear in solicitations, contractors without the required certification status can’t bid. Every month of delay in starting preparation is a month closer to a solicitation where you’re locked out.
Supply chain fragility. Primes rely on subcontractor networks to perform on DoD contracts. If the majority of subs can’t demonstrate CMMC readiness, primes face supply chain constraints that affect program execution. This isn’t abstract. Program managers are already identifying subcontractor CMMC readiness as a risk factor in their program risk registers.
Concentration of advantage. In markets where compliance creates barriers to entry, early movers capture disproportionate share. The 1% of contractors who are CMMC-ready today are positioned to absorb work from the 99% who can’t bid on contracts that require certification. That dynamic rewards early investment and penalizes delay.
What Closes the Gap
The readiness gap won’t close through individual effort alone. It requires the ecosystem to scale.
More C3PAO capacity. The assessor bottleneck constrains how quickly contractors can move from prepared to certified. As more C3PAOs achieve authorization and more assessors complete training, throughput increases. But capacity growth takes time.
Tooling matters too. The documentation and evidence requirements for 320 assessment objectives across 110 controls don’t scale through manual effort. Platforms that manage the compliance workflow end-to-end compress preparation timelines from years to months and free practitioners to focus on judgment work.
Clearer guidance from primes. Subcontractors who don’t know their CMMC obligation can’t prepare for it. Primes who communicate requirements early and clearly help their supply chain prepare in time.
Then there’s the timeline problem. Contractors who understand that 12 to 18 months of preparation is typical, that documentation takes longer than remediation, that evidence collection is ongoing rather than a pre-assessment sprint, plan accordingly. Contractors who assume they can get certified in 90 days discover the gap the hard way.
The Opportunity in the Gap
There’s a less obvious reading of the 1% readiness statistic. For the contractors who are investing in compliance now, the gap is a moat.
When 99% of your competitors can’t bid on CMMC-required contracts, your addressable market expands. When primes are desperate for certified subcontractors, your negotiating position improves. When the industry eventually catches up, you’ll have years of continuous compliance data, refined documentation, and assessment experience that new entrants will be building from scratch.
The readiness gap is a problem for the defense industrial base. For individual contractors willing to invest now, it’s an opportunity with a limited window.
Deep Fathom exists to close the readiness gap faster. The platform supports contractors and their advisors from initial scoping through gap assessment, remediation, documentation, evidence collection, and assessment preparation. The contractors working with Deep Fathom aren’t in the 99%. They’re building the compliance programs that make the 1% statistic irrelevant to their business.
Related reading: